Information on the Heartbleed Bug—a new IT vulnerability announced this week

Earlier this week, the “Heartbleed” system vulnerability was announced. Heartbleed is a system bug that impacts the majority of worldwide websites, online systems and devices. Systems across all industries, including some in the Carlson brands, have been exposed to this vulnerability. The purpose of this communication is to update you on the steps we have taken to remediate this condition and to provide you with some common-sense tips for accessing websites.

  • What is the Heartbleed Bug?

    The Heartbleed Bug is the name given to a vulnerability within the OpenSSL utility used to encrypt communications between computer systems, web applications, email exchanges, etc.


  • Why is this vulnerability a serious concern?

    Websites, computer systems and network devices throughout the world that were previously thought to be secure (e.g., HTTPS sites) may not be secure. Now that this vulnerability is common knowledge, if a vulnerable website is exploited, passwords and other confidential data thought to be encrypted will be openly visible (i.e., unencrypted).


  • Should I worry about this?

    You shouldn’t worry, but you should have a heightened awareness about this vulnerability. Any device that uses OpenSSL (home routers, computers, personal websites, etc.) could be exposed. That said, many other SSL utilities are not impacted by this vulnerability. As with any other computer vulnerability, it is important to be aware of the situation and to take action where necessary.


  • What are we doing to protect our Carlson brand websites and systems?

    Carlson Rezidor consumer-facing websites (www.clubcarlson.com, www.radisson.com, etc.) use the Akamai content-delivery network, and SSL operations are performed by Akamai web servers. Akamai has informed Carlson that our systems are updated and not vulnerable to this risk. Our Travel, Corporate, and Restaurant systems impacted by this vulnerability are being remediated by the support teams with an initial focus on systems accessible from the Internet.

    In addition to the remediation being performed by the support teams, the business area security teams have implemented detection and, where available, prevention controls for this issue. These controls will notify security personnel if an attacker is trying to exploit this vulnerability on our systems. Over the next few days, you will be asked to change certain passwords as deemed necessary by the internal Carlson security and operations teams.


  • How do I know if I’m accessing a vulnerable website or if it has been fixed?

    There are many free tools that allow you to scan websites for this specific Heartbleed vulnerability. If you access websites where you provide secure passwords or exchange confidential data for personal or professional purposes, you may want to test the site first to verify this vulnerability does not exist or that it’s been fixed. If you would like to know if a website is safe, the password security firm LastPass has set up a Heartbleed Checker at https://lastpass.com/heartbleed. This lets you enter the URL of any website to check its vulnerability to the bug and it will tell you if the website has issued a patch. The page http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ provides a useful list of popular websites and their vulnerability status.


  • Should I change all of my online passwords?

    The answer depends on whether or not the website you are accessing has been fixed. If the website hasn’t been fixed, you should wait to change your password until it is fixed. Once you are sure that sites have been fixed, it is recommended that you change your password for all online accounts (e.g., banking, healthcare, social, etc.). As always, be wary of password reset links you receive via email. When resetting passwords, it is better practice to visit websites by typing the address directly into your Internet browser.



To learn more about the Heartbleed vulnerability, http://www.heartbleed.com/ is a good starting place. For more specific questions, email the Carlson Information Security team.

April 11, 2014
Photo caption:
While Carlson systems, including our brand websites, are updated and not vulnerable to this risk, employees should be aware of this global IT system bug and some common-sense tips to use when accessing websites.